Is it possible to configure a certificate using Azure Automation DSC?

This topic contains 4 replies, has 3 voices, and was last updated by  GS 1 week, 6 days ago.

  • Author
    Posts
  • #100356

    Mark Kharitonov
    Participant

    Hi,

    I have a certificate asset in Azure Automation account. I also have a Windows Server 2016 on-premises machine on-boarded to Azure Automation DSC. My goal is to install the certificate into the LOCAL_MACHINE\My certificate store on that server and grant a certain domain account access to the private key.

    I found the CertificateDsc resource on GitHub, but it does not seem to suit the bill. Am I missing anything? This seems to be a pretty mainstream configuration task, so there must be such a resource already, I just cannot find it.

    Any help is much appreciated. Thank you.

  • #100357

    Will Anderson
    Keymaster

    Potentially? I've not done this before, but if you're using Azure Automation DSC, You might be able to leverage the Get-AutomationCertificate cmdlet. Much like the Get-AutomationPSCredential cmdlet, you should be able to call it in your config. But it looks like it grabs the entire certificate object, so you might have to leverage the xScript resource or create a custom resource to import the object instead of feeding it a path and other info.

  • #100362

    Mark Kharitonov
    Participant

    I am aware of the possibility to create a custom resource. But I would like to concentrate on configuring the servers, rather than developing (and hence spending time to debug and fix bugs) resources.

    Therefore, I am checking if I am missing something that already exists, because I cannot imagine configuring a web server without configuring SSL certificates. Pretty basic stuff.

    Now, suppose I use Get-AutomationCertificate to get the certificate object. What is next? It is unclear how to proceed from there to installing it on the machine.

  • #100407

    Mark Kharitonov
    Participant

    My current solution is as follows:

    1. Place the PFX file in an Azure File Storage and obtain the SAS token.
    2. Add the credentials to the PFX file as an Azure Automation Asset
    3. Use the following DSC configuration to ensure the certificate is installed:
        Configuration QAWebServer
        {
            Import-DscResource -ModuleName xPSDesiredStateConfiguration
            Import-DscResource -ModuleName CertificateDsc
        
            $MyServerCertPfxCred = Get-AutomationPSCredential -Name MyServerCert
        
            node localhost
            {
                xRemoteFile GetMyServerCertPfx
                {
                    Uri             = "https://***.file.core.windows.net/***"
                    DestinationPath = "$env:TEMP\MyServerCert.pfx"
                }
        
                PfxImport ImportMyServerCertPfx
                {
                    Ensure     = "Present"
                    DependsOn  = "[xRemoteFile]GetMyServerCertPfx"
                    Thumbprint = "***"
                    Path       = "$env:TEMP\MyServerCert.pfx"
                    Location   = "LocalMachine"
                    Store      = "My"
                    Credential = $MyServerCertPfxCred
                }
            }
        }
    

    There is, however, a problem – the certificate is left on the target machine. I would like to avoid it.

    One idea could be instead of copying the certificate to share the Azure File Storage container having the PFX file and install it from the share, but then the share remains permanently mounted on the target machine – essentially the same problem.

    I am looking for a way to ensure the certificate is present without leaving a trace.

    I thought I could add a File resource with Ensure = "Absent" and make it depend on the PfxImport resource, but then how will it work? Will it constantly download the certificate, ensure it is installed (it would be) and then delete it again? Doing this every 30 minutes? Is this the right approach?

  • #100422

    GS
    Participant

    You can compile Azure Automation Variable into DSC and provide to your machine and perform import of that blob as part of DSC. I'm doing something similar with swarm template in Azure which requires SSL certs to be present on client (https://artisticcheese.wordpress.com/2018/04/20/arm-template-for-deploying-windows-based-docker-swarm-in-azure/) and here is part where this certificate is being extracted into file system, so on last step instead of saving it into file system you will just impport it into certificate store. https://github.com/artisticcheese/dockerswarmarm/blob/master/swarmhost.ps1

You must be logged in to reply to this topic.